Solved: How to configure props.conf to recognize the exact...

msantich · ‎11-05-2014

events from a particular source have timestamps formatted as follows: hh:mm.ss,ssss - example
02:07.21,0241

this is a strange format to be sure, and splunk does a pretty good job at "guessing" and yeilds
02:07:00.000

but our security guys aren't satisfied with this and they'd like splunks timestamp to match the event timestamp

in looking at strptime() documentation (by the way we're at splunk version 4.2.5), I see examples that suggest that using strptime() will limit me to precision year/month/day. I'm not seeing how to specifiy hour, minute, second, decimal second.

any ideas to help.

thanks so much
MichaelS

martin_mueller · ‎11-05-2014

In props.conf you should set this under that sourcetype:

TIME_FORMAT = %H:%M.%S,%4N

That's assuming the 0241 part is 100-microsecond precision (1/10000th second).

View solution in original post

martin_mueller · ‎11-05-2014

In props.conf you should set this under that sourcetype:

TIME_FORMAT = %H:%M.%S,%4N

That's assuming the 0241 part is 100-microsecond precision (1/10000th second).

msantich · ‎11-05-2014

Thank you sir.

How to configure props.conf to recognize the exact timestamp format hh:mm.ss,sss in our data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!